fix(security): patch CVEs in playground modules - thymeleaf SSTI, actuator auth bypass, logback CVE-2026-1225

dtoxvanilla1991 · dtoxvanilla1991 · commit b45a55139fdc · 2026-04-19T01:03:32.000+01:00
- thymeleaf + thymeleaf-spring6: 3.1.3.RELEASE → 3.1.4.RELEASE (SSTI fix, all 3 thymeleaf playground modules) - spring-boot-starter-actuator: 3.5.6/3.5.5 → 3.5.12 (auth bypass fix) - logback-classic: 1.5.19 → 1.5.32 (CVE-2026-1225 ACE fix, resolves #228) Closes #228
diff --git a/playground/kinde-springboot-pkce-client-example/pom.xml b/playground/kinde-springboot-pkce-client-example/pom.xml
@@ -27,6 +27,16 @@
             <artifactId>spring-boot-starter-thymeleaf</artifactId>
             <version>3.5.5</version>
         </dependency>
+        <dependency>
+            <groupId>org.thymeleaf</groupId>
+            <artifactId>thymeleaf</artifactId>
+            <version>3.1.4.RELEASE</version>
+        </dependency>
+        <dependency>
+            <groupId>org.thymeleaf</groupId>
+            <artifactId>thymeleaf-spring6</artifactId>
+            <version>3.1.4.RELEASE</version>
+        </dependency>
         <dependency>
             <groupId>org.springframework.boot</groupId>
             <artifactId>spring-boot-starter-oauth2-resource-server</artifactId>
diff --git a/playground/kinde-springboot-starter-example/pom.xml b/playground/kinde-springboot-starter-example/pom.xml
@@ -32,7 +32,7 @@
     <dependency>
       <groupId>org.springframework.boot</groupId>
       <artifactId>spring-boot-starter-actuator</artifactId>
-      <version>3.5.6</version>
+      <version>3.5.12</version>
     </dependency>
     <dependency>
       <groupId>org.springframework.boot</groupId>
@@ -47,12 +47,12 @@
     <dependency>
       <groupId>org.thymeleaf</groupId>
       <artifactId>thymeleaf</artifactId>
-      <version>3.1.3.RELEASE</version>
+      <version>3.1.4.RELEASE</version>
     </dependency>
     <dependency>
       <groupId>org.thymeleaf</groupId>
       <artifactId>thymeleaf-spring6</artifactId>
-      <version>3.1.3.RELEASE</version>
+      <version>3.1.4.RELEASE</version>
     </dependency>
     <dependency>
       <groupId>org.springframework.boot</groupId>
@@ -73,7 +73,7 @@
       <groupId>ch.qos.logback</groupId>
       <artifactId>logback-classic</artifactId>
       <scope>runtime</scope>
-      <version>1.5.19</version>
+      <version>1.5.32</version>
     </dependency>
 
     <dependency>
diff --git a/playground/kinde-springboot-thymeleaf-full-example/pom.xml b/playground/kinde-springboot-thymeleaf-full-example/pom.xml
@@ -28,7 +28,7 @@
         <dependency>
             <groupId>org.springframework.boot</groupId>
             <artifactId>spring-boot-starter-actuator</artifactId>
-            <version>3.5.5</version>
+            <version>3.5.12</version>
         </dependency>
 
         <dependency>
@@ -61,6 +61,16 @@
             <artifactId>spring-boot-starter-thymeleaf</artifactId>
             <version>3.5.5</version>
         </dependency>
+        <dependency>
+            <groupId>org.thymeleaf</groupId>
+            <artifactId>thymeleaf</artifactId>
+            <version>3.1.4.RELEASE</version>
+        </dependency>
+        <dependency>
+            <groupId>org.thymeleaf</groupId>
+            <artifactId>thymeleaf-spring6</artifactId>
+            <version>3.1.4.RELEASE</version>
+        </dependency>
         <dependency>
             <groupId>org.springframework.boot</groupId>
             <artifactId>spring-boot-devtools</artifactId>
